We talk to the security experts behind BHIM, the new digital payments app by the National Payments Corporation of India. Here's what we learnt about the app's security and functionality.

BHIM, the new digital payments app launched by the National Payments Corporation of India, is riddled with bugs. The app is supposed to simplify digital transactions by bringing UPI-based transactions to Android users (and iOS by Jan 10). All you need to do is have your mobile number linked to your bank account, and the app will automatically retrieve other details such as your account number and branch information from your bank. This binding of a mobile number to a particular bank account is a function of UPI. So all you need is a bank-registered mobile number and you are good to transfer money to anyone, anywhere, instantaneously. But is it really that simple? Is it even safe to use the BHIM app? Let’s find out.

BHIM: The easy-to-use app that refuses to work

When BHIM launched all of 4 days ago, it was thought to be a revolutionary new step by the government of India. But it seems everyone was quick to pass judgement on the app. The idea of a single app for all banking-related transactions may be a very bright and noble one, but its implementation is a whole other story. While many users who downloaded the app on launch day were able to transact with ease, the same is not the case 4 days, 3 million downloads and 5 lakh transactions later.

Some user reviews of the app on Play Store

Multiple users have reported that none of their transactions are going through after linking their accounts with the BHIM App. Besides failed transactions, users have also been facing issues trying to generate OTPs and mPINs during the registration process within the app. Now, while OTP generation could be an issue at the bank’s end, failed/invalid transactions could be a result of overloaded servers. Saket Modi, CEO of Lucideus, one of the teams behind the security of the BHIM app, says, “The scalability of the server is a one time problem, once this is solved it (the app) will absolutely be at par. When you make credit or debit card transactions, there are no issues because they expect an X amount of traffic and that is there. Plus minus 10-20% is ok. BHIM is a new thing and three million downloads in three days, I don’t think has happened anywhere in the world till date.” Comparing private companies and government organisations, Modi also pointed out that the pace at which decisions are made in the latter is usually slower because government organisations follow a set procedure; hence, when a decision is reached to increase the capacity of the servers supporting BHIM, the problem of transaction errors should be fixed “very soon.”

That said, Modi also pointed out that “It’s not that simple to push an update to the app because of so many dynamic variables which are involved.” So if you were hoping the app would stop generating transaction/registration errors overnight, you might have to wait a while before things settle into a smooth functioning pattern.

Those who were utterly unsuccessful at linking their bank accounts with BHIM may have to uninstall the application and download it again. It took us multiple attempts before we could get our account linked to the app. In some cases, certain bank accounts are still unable to function in tandem with the app. For example, a Standard Chartered account refuses to set up a 6-digit UPI PIN using the BHIM app, even after multiple tries.

How secure is the BHIM app?

As of now, it seems like BHIM is running a pretty tight ship as far as security is concerned; an impression we have after speaking to the security team behind the app. Although Lucideus’ Modi says “nothing can be 100% safe,” he believes that BHIM’s three-factor authentication is strong enough to keep out amateur hackers or as he calls them “script kiddies.”

“Your phone number and your device ID is bound with this app. It really takes the ownership of that device. By this I mean, it’s an authentication mechanism in itself. Why? Because number one, that device will be operational at that time. The data that it (BHIM) is storing on the device is also encrypted and all the new operating systems including iOS and Android use containerisation, which means my app's data only I can access, nobody else can access. That’s a standard feature true for any application running on Android, which is true for this app also,” says Modi.

What this essentially means is that the data generated by BHIM is stored in an authenticated and encrypted area of a user’s mobile device. The practice is also sometimes referred to as application sandboxing, although in its true sense, sandboxing is supposed to isolate applications completely, which is not the case with BHIM. In fact, Modi tells us that the 4-digit PIN used to access the app is stored on the user's device itself. This could be accessed by a hacker if your phone is ever stolen, as Modi points out that “there is nothing known as 100% encryption.” But the app also needs a 4- or 6-digit UPI PIN to transact or check other account details, which is in turn stored on the UPI servers and will act as another step of authentication before a hacker can make use of the BHIM app to transact.

So essentially, the three-factor authentication includes the binding of the device ID and the app, the mobile number registered with the bank, and the UPI PIN that you set for transactions. “Even if your phone gets stolen and someone replicates your SIM by giving fake documents to a service provider, they will not be able to transact on the app,” assures Modi.

While the steps taken to secure the app seem pretty stringent, what remains to be seen is how security is kept up on the app's server, which could be the main target of malicious attackers. In the near future, the government is also looking to add fingerprint authentication for UPI transactions, which will still need a PIN or two, says Modi.
